Title of Report [omit “Audit of”]
Description
March 2008 Report No. AUD-08-006 FDIC’s Replacement and Disposal Process for Laptop Computers AUDIT REPORT Report No. AUD-08-006 March 2008 FDIC’s Replacement and Disposal Process for Laptop Computers Federal Deposit Insurance Corporation Audit Results Why We Did The Audit The FDIC established and implemented generally adequate controls over The objective of the audit was to the replacement and disposal process for laptop computers. Specifically, determine whether the FDIC had we noted that the FDIC had implemented a consistent and complete established and implemented adequate controls over the replacement and deployment of laptop computers during 2007 in each of the offices we disposal process for laptop computers. reviewed. Further, DIT personnel at each location we visited maintained documentation in accordance with the DIT Guidelines. All 3,905 laptop computers purchased by the FDIC were received and recorded in the FDIC’s Remedy® laptop inventory within the timeframes established by Background DIT. Finally, as stipulated in the new laptop purchase order, the FDIC received a discount for its used laptop computers. During 2007, the FDIC purchased 3,905 Lenovo T60 Thinkpad laptop computers and related hardware for a total cost of We also found that opportunities exist for the FDIC to enhance controls ...
Informations
| Publié par | Zaur |
| Nombre de lectures | 35 |
| Langue | English |
Extrait
March 2008 Report No. AUD-08-006
FDIC s Replacement and Disposal ’ Process for Laptop Computers
UDIT REPORT
Federal Deposit Insurance Corporation Why We Did The Audit The objective of the audit was to determine whether the FDIC had established and implemented adequate controls over the replacement and disposal process for laptop computers. Background During 2007, the FDIC purchased 3,905 Lenovo T60 Thinkpad laptop computers and related hardware for a total cost of approximately $7.8 million. The new laptops would provide FDIC employees with faster system/software perform-ance, extended battery life, increased disk storage space, and a larger display screen. In addition, the new laptops include Pointsec for PC (Pointsec) encryption software to enhance the security of corporate data. The FDIC’s Division of Information Technology (DIT) was responsible for the 2007 laptop deployment project. FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management , dated April 1999, establishes policies and procedures for managing FDIC-owned laptop computers throughout their life cycle. In addition, in July 2007, DIT issued Guidelines for New Laptop Deployment (DIT Guidelines), which provides detailed procedures for the replacement and disposal of laptops, including procedures for the disposition of the hard drives from used laptops in order to protect sensitive data they may contain. An inventory of laptop computers owned by the FDIC is maintained in the FDIC’s Remedy ® Asset Management Module. DIT used Remedy ® to track the deployment of the new laptop computers and the collection of used laptops.
Report No. AUD-08-006 March 2008 FDIC’s Replacement and Disposal Process for Laptop Computers Audit Results The FDIC established and implemented generally adequate controls over the replacement and disposal process for laptop computers. Specifically, we noted that the FDIC had implemented a consistent and complete deployment of laptop computers during 2007 in each of the offices we reviewed. Further, DIT personnel at each location we visited maintained documentation in accordance with the DIT Guidelines. All 3,905 laptop computers purchased by the FDIC were received and recorded in the FDIC’s Remedy® laptop inventory within the timeframes established by DIT. Finally, as stipulated in the new laptop purchase order, the FDIC received a discount for its used laptop computers. We also found that opportunities exist for the FDIC to enhance controls for the continuous replacement and disposal process for laptop computers in the following areas. It is important to note that the FDIC will continue to replace malfunctioning computers. • FDIC Circular 1380.3 does not reflect the current business environment for managing the FDIC’s laptop computer inventory and does not define the FDIC’s policy for the disposal of laptop computer hard drives. This limits the FDIC’s assurance that its laptop computer inventory, including hard drives that may contain sensitive information, are effectively managed. • Current hard drive destruction practices present a risk that a computer hard drive could be lost and subject to unauthorized access. • Remedy® lacks sufficient access controls to ensure that complete and accurate inventory records are maintained for the FDIC’s laptop computers and does not track replacement laptops for malfunctioning computers. These control deficiencies limit the FDIC’s assurance regarding the integrity of its laptop computer inventory. Recommendations and Management Response We recommended that FDIC management (1) update Circular 1380.3 to reflect the FDIC’s current business environment for managing its laptop computer inventory and to define policy for the disposal of hard drives; (2) implement additional measures that mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access ; and (3) establish procedures to track and record the replacement of laptop computers returned to the vendor for replacement or service. Management concurred with our recommendations and is taking responsive corrective actions.
To view the full report, go to www.fdicig.gov/2008reports.asp
1 2 2 2 3 3 5 6 6 7 7
Contents Page BACKGROUND Guidance Related to Laptop Computers DIT Guidelines on Laptops FDIC Policies and Procedures Related to Laptops Federal Law and Guidelines The FDIC’s Laptop Deployment Process RESULTS OF AUDIT FDIC POLICIES AND PROCEDURES FOR MANAGING THE LAPTOP COMPUTER INVENTORY Changes in the FDIC’s Business Environment and Procedures for Managing Laptop Computers Laptop Computer Hard Drives Recommendation on FDIC Policies and Procedures for Managing the Laptop Computer Inventory HARD DRIVE DESTRUCTION PRACTICES Current Destruction Process for Hard Drives Plans for Destroying Additional Hard Drives Recommendation on Hard Drive Destruction Practices THE FDIC’s ASSET MANAGEMENT MODULE Data Controls in the Remedy® Inventory System Laptops Returned to the Vendor Recommendation on Procedures for Tracking Replacement Laptops CORPORATION COMMENTS AND OIG EVALUATION APPENDICES 1. OBJECTIVE, SCOPE, AND METHODOLOGY 2. CORPORATION COMMENTS 3. MANAGEMENT RESPONSE TO RECOMMENDATIONS TABLE Summary of Control Enhancements Needed FIGURES 1. Hard Drive Destruction at the Recycling Facility 2. The FDIC’s 2007 Replacement and Disposal Process for Laptop Computers
7 7 8 8 8 9 9 10 10
11 14 16
5 2 4
Office of Audits Office of Insector Gene ral
Federal Deposit Insurance Corporation 3501 Fairfax Drive, Arlington, VA 22226 DATE: March 12, 2008 MEMORANDUM TO: Michael E. Bartell Chief Information Officer and Director, Division of Information Technology /Signed/ FROM: Russell A. Rau Assistant Inspector General for Audits SUBJECT: FDIC’s Replacement and Disposal Process for Laptop Computers (Report No. AUD-08-006) This report presents the results of the subject audit. The FDIC’s Division of Information Technology (DIT) was responsible for the 2007 laptop computer deployment project to upgrade the FDIC’s laptop computer inventory. The objective of the audit was to determine whether the FDIC had established and implemented adequate controls over the replacement and disposal process for laptop computers. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail. BACKGROUND Under a contract with SRA International, Inc. (SRA), the FDIC purchased 3,905 Lenovo T60 Thinkpad laptop computers and related hardware from World Wide Technology, Inc. (WWT) for a total cost of approximately $7.8 million. The new laptop computers provide FDIC employees with faster system/software performance, extended battery life, increased disk storage space, and a larger display screen. In addition, the new laptop computers were deployed with Pointsec for PC (Pointsec) 1 encryption software to enhance the security of corporate data. Under the laptop computer purchase order, the FDIC received a discount for trading in its used laptop computers, without the hard drives.
1 Pointsec encrypts all data on the laptop computer’s hard drive as a safeguard in the event the laptop is lost or stolen.
A record of all laptop computers owned by the FDIC is maintained in Remedy®, 2 which also includes the assignment history of the laptops. DIT used Remedy® to track the deployment of the new laptop computers and the collection of the used laptops. Guidance Related to Laptop Computers DIT Guidelines on Laptops . In July 2007, DIT issued Division of Information Technology Guidelines for New Laptop Deployment (DIT Guidelines), which provides detailed procedures for the replacement and disposal of laptop computers. The DIT Guidelines also provide procedures for the storage and destruction of the hard drives from used laptops in order to protect sensitive data the hard drives may contain. Specifically, the DIT Guidelines state that the DIT Distribution Center (DDC) is responsible for ensuring that used laptop computer hard drives are destroyed by shredding. At the time of our audit, DDC personnel were destroying laptop computer hard drives by transporting them to a suburban Washington, D.C., recycling facility where the hard drives were placed into an automobile that was then crushed and fed into an industrial shredding machine (see Figure 1 below). DDC personnel are to remain on-site to witness the shredding. Figure 1: Hard Drive Destruction at the Recycling Facility
Source: OIG observation of the hard drive destruction at the recycling facility. FDIC Policies and Procedures Related to Laptops . The FDIC has established the following policies and procedures that relate to the replacement and disposal process for laptop computers: • FDIC Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management , dated April 13, 1999, establishes policies and procedures for managing FDIC-owned laptop computers throughout their life cycle.
2 Remedy® consists of a suite of applications used for incident, problem change, service-level, and asset management. DIT uses the Asset Management Module of Remedy® to track laptop computers.
2
• FDIC Circular 3200.1, Disposition of Corporation-Owned Property , dated August 25, 2004, establishes procedures for ensuring that Corporation-owned property is reallocated and/or disposed of in a uniform and effective manner; and • FDIC Circular 1360.9, Protecting Sensitive Information , dated April 30, 2007, establishes policy on protecting sensitive information stored on FDIC laptop computers. Federal Law and Guidelines . The following summarizes federal guidance related to the destruction of laptop computer hard drives. • The Federal Information Security Management Act of 2002 (FISMA) defines federal agency responsibilities for information security, including assessing risks associated with, among other things, the unauthorized access to information systems, which includes information technology (IT) equipment. 3 This provision of FISMA requires that federal agencies develop, document, and implement policies and procedures that cost-effectively reduce such information security risks to an acceptable level. • The National Institute of Standards and Technology (NIST) issued guidelines that 4 federal agencies should consider in relation to information system security. NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization, dated September 2006, provides guidelines for organizations to make practical sanitization decisions based on the level of confidentiality of their sensitive information. NIST SP 800-88 recommends the destruction of hard drives containing sensitive information by disintegrating, shredding, pulverizing, or incinerating. Additionally, NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information Systems , dated December 2006, recommends among other things, that organizations employ appropriate sanitization techniques for their information system media. The FDIC’s Laptop Deployment Process The FDIC’s laptop computer deployment process consisted of retrieving used laptops from FDIC users, migrating user data, configuring new laptops, and removing hard drives from the used laptops. DIT developed a laptop computer deployment schedule using Remedy®, which identified users at each FDIC site. At the FDIC’s headquarters buildings, 5 DIT oversaw the laptop computer deployment, which was conducted by SRA personnel. DIT personnel conducted the laptop computer deployment at the FDIC’s 3 The FDIC has determined that the provision of FISMA at issue here is legally binding on the FDIC. 4 NIST special publications are, by their own terms, guidelines (rather than mandatory requirements) for agencies in implementing their IT operations. 5 Headquarters includes two buildings in Washington, D.C., and the Virginia Square buildings in Arlington, Virginia.
3
The DDC updates Remedy ® with the serial numbers for new laptops.
regional and field offices. Figure 2 below further illustrates the FDIC’s 2007 replacement and disposal process for laptop computers. Figure 2: The FDIC’s 2007 Replacement and Disposal Process for Laptop Computers The DDC receives a list of serial numbers from WWT for new laptops shipped to the FDIC’s locations. SRA/DIT installer and the FDIC user complete and sign a hand bill receipt. SRA/DIT personnel conducting the laptop deployment update Remedy ® using the hand bill information.
At deployment date, the used laptop is removed, and a new laptop is provided to the user. The hard drive from the used laptop is removed and stored for 120 days in the event the data are needed. The used laptop is then shipped to DDC.
DDC ships used laptops to the asset recovery servicer for credit and updates Remedy ® .
After 120 days, DIT personnel in the regional/ field offices drill four holes into the hard drives prior to shipping them to the DDC in order to provide added security in the event a hard drive is lost during shipment.
DDC personnel take all hard drives (those from headquarters locations and those shipped from regional/field offices) to a recycling facility for shredding. Then, DDC personnel update the hard drive inventory in Remedy ® .
4
DIT/SRA personnel update the laptop deployment. SRA/DIT personnel create the hard drive schedule that identifies the hard drive serial number, laptop serial number, user name, and hard drive removal and destruction dates.
RESULTS OF AUDIT The FDIC established and implemented generally adequate controls over the replacement and disposal process for laptop computers. Specifically, we noted that the FDIC had implemented a consistent and complete deployment of laptop computers during 2007 in each of the offices we reviewed and that DIT personnel at each location we visited maintained documentation in accordance with the DIT Guidelines. 6 In addition, all 3,905 laptop computers purchased by the FDIC were received and recorded in the FDIC’s Remedy® laptop inventory within the timeframes established by DIT. Further, as stipulated in the new laptop purchase order, the FDIC received a discount for its used laptop computers. Such results are positive. However, opportunities exist for the FDIC to enhance its controls for the continuous replacement and disposal process for laptop computers (see the table below). It is important to note that the FDIC will continue to replace malfunctioning computers. Summary of Control Enhancements Needed Control Issue Enhancement Needed FDIC Circular 1380.3, La to Com uter U date Circular 1380.3 to reflect the Assi nments, Sa e uards, and Asset Mana ement, FDIC’s current business environment for does not reflect the FDIC’s current rocedures for mana in its la to com uter inventor and managing laptop computers, including hard drives, or to define policy for the disposal of hard DIT’s current business environment. In addition, drives. Circular 1380.3 does not define the FDIC’s olic for the disposal of laptop computer hard drives. The lack of current olicies and rocedures in these areas limits the FDIC’s assurance that its la to com uter inventor , includin hard drives that ma contain sensitive information, are effectivel mana ed FDIC Policies and Procedures for Mana in the La to Com uter Inventor . Current hard drive destruction practices present a risk Implement additional measures that that a com uter hard drive could be lost and sub ect miti ate the risk of a com uter hard drive to unauthorized access Hard Drive Destruction bein lost durin the destruction rocess Practices . and subject to unauthorized access. Remed ® lacks sufficient access controls to ensure Im lement access controls and establish that com lete and accurate inventor records are Remed ® rocedures to track and record maintained for the FDIC’s la to com uters. the re lacement of la to com uters Further, Remed ® does not track re lacement returned to the vendor for service. laptops for malfunctioning computers. These control deficiencies limit the FDIC’s assurance re ardin the inte rit of its la to com uter inventor The FDIC’s Asset Management Module ).
6 We tested the laptop computer deployment process at FDIC locations in Arlington, Virginia; Washington, D.C.; Atlanta, Georgia; New York, New York; Chicago, Illinois; and Madison, Wisconsin.
5
FDIC POLICIES AND PROCEDURES FO R MANAGING THE LAPTOP COMPUTER INVENTORY The FDIC issued Circular 1380.3, Laptop Computer Assignments, Safeguards, and Asset Management , dated April 13, 1999, for the purpose of establishing policies and procedures for all FDIC-owned laptop computers throughout their life cycle. However, the circular does not reflect the FDIC’s current business environment for managing its laptop computer inventory. In addition, Circular 1380.3 does not define the FDIC’s policy for the disposal of laptop computer hard drives. The lack of current policies and procedures in these areas limits the FDIC’s assurance that its laptop computer inventory, including hard drives that may contain sensitive information, are effectively managed. Changes in the FDIC’s Business Environment and Procedures for Managing Laptop Computers Circular 1380.3 does not reflect the FDIC’s current business environment or procedures for managing laptop computers. For example, Circular 1380.3: • References the Information Technology Asset Management System (ITAMS) as the FDIC’s laptop inventory system. However, ITAMS was replaced by Remedy® in June 2004. • Requires that all laptops moved in and out of FDIC facilities be inspected by FDIC security personnel. However, according to FDIC Security and Emergency Preparedness officials, this practice has been discontinued for FDIC employees. • Requires equipment authorization tags to be fastened to the outside of laptop computer cases and to be visible at all times. However, this practice is no longer employed. Assigns the responsibility for periodic and annual inventories nationwide to the • Chief, Logistics Management Section, to ensure the accuracy of inventory records for all FDIC-owned laptops. However, this position no longer exists, and no other FDIC circular assigns this responsibility. • References the Division of Information Resources Management (DIRM), which was restructured as DIT in 2005.
6
Laptop Computer Hard Drives The DIT Guidelines that were developed specifically for the 2007 replacement and disposal of laptop computers contain detailed procedures to safeguard hard drives removed from laptop computers. However, Circular 1380.3 does not address the FDIC’s policy for the disposal of hard drives. During our review of the 2007 laptop deployment, DIT officials informed us that ensuring control over hard drives was a major concern because of sensitive information they may contain. The FDIC can achieve greater assurance regarding the disposal of computer hard drives and promote adherence to NIST security guidelines by addressing the disposal of hard drives in corporate policy. Recommendation on FDIC Policies and Procedures for Managing the Laptop Computer Inventory We recommend that the Chief Information Officer (CIO): (1) Update Circular 1380.3 to reflect the FDIC’s current business environment for managing its laptop computer inventory and to define policy for the disposal of hard drives. HARD DRIVE DESTRUCTION PRACTICES DIT disposed of laptop computer hard drives from the 2007 laptop deployment effort by transporting them to a suburban Washington, D.C., recycling facility for destruction. However, many of the hard drives had not been drilled, as a security precaution, prior to their transport to the recycling facility, presenting a risk that a computer hard drive could be lost during the destruction process and subject to unauthorized access. Current Destruction Process for Hard Drives Consistent with FISMA, NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems , recommends that organizations employ appropriate sanitization techniques for their information system media to prevent the disclosure of organizational information to unauthorized individuals when such media are reused or disposed of. On January 15, 2008, we accompanied an SRA employee to the recycling facility to observe the destruction of approximately 200 laptop computer hard drives. According to the SRA employee, these hard drives were from FDIC headquarters, regional, and field offices. DIT Guidelines require that hard drives from regional and field offices be drilled prior to shipment to the DDC. However, DIT Guidelines do not require that hard drives removed from laptops in headquarters offices be drilled prior to being transported for shredding. The destruction process at the recycling facility involved placing the
7
computer hard drives into cardboard boxes and then placing the boxes into an automobile that was about to be destroyed. An industrial crane was then used to compact the automobile and transport it to a conveyer belt, which then fed the automobile into an industrial shredder. However, as the automobile was being transported to the conveyer belt, we observed what appeared to be hard drives falling out of the automobile onto a large trash heap in the recycling facility’s scrap yard. Because many of the hard drives had not been drilled prior to being placed in the automobile, there is a risk that one or more of them may not have been destroyed and could be lost and subject to unauthorized access. Plans for Destroying Additional Hard Drives DIT recently deployed Pointsec, which automatically encrypts sensitive information stored on laptop computer hard drives. Pointsec significantly reduces the risk of a compromise of sensitive information whenever a laptop computer is lost or stolen. However, the computer hard drives destroyed on January 15, 2008 were removed from laptop computers that did not have the automatic encryption software. As a result, these laptop computer hard drives may have contained sensitive information in an unencrypted format. DIT plans to destroy a large number of other laptop computer hard drives, in the near future, that may also contain sensitive information in an unencrypted format. Accordingly, DIT should implement additional measures to mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access. In this manner, the FDIC can reduce the risk of an unauthorized disclosure of sensitive information that could lead to potential legal liability or public embarrassment to the Corporation. Recommendation on Hard Drive Destruction Practices We recommend that the CIO: (2) Implement additional measures that mitigate the risk of a computer hard drive being lost during the destruction process and subject to unauthorized access. THE FDIC’s ASSET MANAGEMENT MODULE The FDIC uses the Remedy® Asset Management Module to manage its inventory of laptop computers. However, Remedy® lacks sufficient access controls to ensure that complete and accurate inventory records are maintained for the FDIC’s laptop computers. In addition, Remedy® does not track replacement laptop computers when a malfunctioning laptop, assigned to a user, is returned to the vendor for service. As a result, the FDIC cannot ensure the effective accountability for, and control of, laptop computers.
8
© 2010-2024 YouScribe